A rapper calling herself the Crocodile of Wall Street, the Department of Justice and Forbes magazine might sound like an unusual mix, but they’re actually key components in the resolution of one of cryptocurrency's biggest ever hacks.
A notorious hack and enduring mystery
The 2016 Bitfinex hack is the stuff of crypto legend and its surreal conclusion this week ensures that it will live even longer in the memory. A total of 119,754 $BTC (valued at $72 million) was stolen when hackers found their way into Bitfinex’s servers and authorised 2000 fraudulent transactions. The result was seismic. It plunged the value of Bitcoin by nearly 40%, sending shockwaves through the markets. The hackers remain at large, but after 6 years of speculation, endless tracking and bounties, two people are set to be charged with conspiracy to launder money and they’re…absolutely nothing like what you might expect.
2016 has long been a thorn in Bitfinex’s side, undermining confidence and tarnishing its reputation. Although the 119,754 $BTC theft is notable for its size, it was only the latest in a long line of smaller, less lucrative hacks that hit the embattled exchange. Worst of all, the hacker(s) were never found, with the plundered coin likely sold off to a third party via a P2P or OTC deal. Fast forward to 2020 and the stolen bitcoin was now worth over $1.3 billion. Bitfinex announced a $400 million bounty but even that didn’t bring them any closer to the stolen currency. The coins moved occasionally but nobody could trace them to a specific person.
The theft is fascinating for its mix of sophistication and extreme crudity. The stolen funds were laundered through multiple different crypto exchanges before being sent to thousands of false identities. If that sounds like the work of an expert hacker, the thieves also used the same photographs for many of the fake identities. Sloppiness like this is a theme, and a single misstep would eventually bring the coin holders down.
The unravelling began on 31st January when watchers noticed movement on wallets containing the stolen funds. Although it hadn’t previously been possible to track the coins back to their owners, investigators never took their eyes off the cash. When it started to move, they sprang into action. Curiously, funds were transferred without any attempt to disguise the transactions.
Events escalated quickly. The Department of Justice announced on 8th February that the plundered Bitcoin (now worth $3.6 billion) had been retrieved. The DOJ used emails to trace the wallets back to their owners: Ilya Lichtenstein and Heather Morgan. In a final error, when the DOJ took out a warrant to crack Lichtenstein’s cloud storage account, they found that he stored his wallet keys in a simple text document.
Introducing the Crocodile of Wall Street
This is where the story takes a turn for the surreal. When the identity of the arrested couple emerged, many were surprised to find that they hadn’t exactly been hiding in the shadows. Lichtenstein and Morgan are the very definitions of hiding in plain sight. Ilya is a cofounder of MixRank (a market-analysing startup backed by Y Combinator), but it’s Morgan who attracted the most attention.
Performing under the alias Razzlekhan, the self-proclaimed “Crocodile of Wall Street” is a prolific rapper. Already moderately famous, her profile rocketed after her links to the hack emerged. Despite a largely negative reaction to her raps on Twitter (with some users suggesting that she deserves jail time for crimes against music), her most watched video has nonetheless been viewed over 230k times. In that song, Morgan shouts out all the “hackers” and “weirdos.” She also claims that she’s a “real risk taker,” which perhaps lies behind the decision to move the stolen Bitcoin after all this time.
Her CV isn’t limited to raps and crypto laundering, either. The “Versace Bedouin” cites a long list of careers: “I’m many things, a rapper, an economist, a journalist, a writer, a CEO,” she raps. At least two of those are true because Morgan is a contributor to Forbes magazine. One of her articles was about, of all things, cybersecurity. She also raps that she’s “come so far but don’t know where I’m headed,” although she might now have an answer: jail. Morgan and Lichtenstein face 25 years if convicted.
Stranger still, the pair couldn’t even access the money. They laundered it via Walmart gift cards, Uber rides and other negligible purchases from the PlayStation store and Hotels.com. Although technically billionaires, they struggled to use their funds in any meaningful way, hardly living the high life. It’s possible that they finally lost patience with the situation, leading to the fateful move that triggered their arrests.
Bitfinex to reimburse its customers
Despite its surrealistic feel, the saga has some big takeaways about security and transaction transparency. For marketplaces and investors, it's a reminder that security is an ongoing process and that hackers will always find new and creative ways to break in. For everybody else, it’s evidence that cryptocurrency transactions aren’t ever completely private. The stolen Bitcoin might have been missing for nearly six years but investigators never lost sight of it.
The recouped funds are significant for the Department of Justice. Although the coins will be returned to Bitfinex, that’s still a big chunk of crypto currently held by federal authorities. The situation speaks volumes about the government’s commitment to crypto security and infrastructure. There’s good news for Bitfinex customers, too. Although none were directly hacked in 2016, Bitfinex cut account balances by 36% to cover losses and keep trading. Customers were compensated with exchange tokens.
Now that the DOJ is set to return the plundered Bitcoin, Bitfinex will reimburse its customers by buying back tokens. The process is complicated because customers were initially compensated with BFX, which were redeemable or could be used to buy iFinex shares. A Recovery Rights Token (RRT) was also introduced later. The intricacies of the reimbursement scheme (and whether customers will be satisfied) remain to be seen. The returned funds represent a vast portion of liquidity suddenly injected into the market, raising speculation about the effect on BTC price. Mitigations like TWAP and OTC mean that it shouldn’t be too much of a shock, but it’s still worth keeping an eye on.
It seems fitting that one of the most dramatic hacks in crypto history has delivered one of the strangest endings. The story raises serious points about security, transparency and governmental infrastructures around crypto, but the biggest takeaway of all might be that truth sometimes really is stranger than fiction.